Hello, I just uploaded cryptsetup 1.0.6-7 with urgency=medium to debian/unstable. This version should be unblocked for lenny as it fixes one grave , one important and several normal to wishlist bugs. The complete changelog entry and debdiff are attached.
The debdiff is not that small, but it includes mostly documentation changes. cryptsetup provides a udeb, thus i'm cc-ing debian-boot. Changelog: cryptsetup (2:1.0.6-7) unstable; urgency=medium * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE in configure.in. * Support keyfiles option in bash completion. Thanks to Stefan Goebel for the patch. (closes: #499936) * Update patches/02_manpage.patch: Fix the documnetation of default cipher for LUKS mappings. (closes: #495832) * Update debian/watch file to reflect the move of project home to code.google.com. * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of cryptdisks.functions. This way, cryptdisks_start/stop work even with $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643) * Add force-start to cryptdisks(-early).init in order to support starting noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779) * Document how to enable remote device unlocking via dropbear ssh server in the initramfs during boot process. Thanks to Chris <deb...@x.ray.net> for the great work. (closes: #465902) * Completely remove support and documentation of the timeout option, document this in NEWS.Debian. (closes: #495509, #474120) * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner. (closes: #499704) * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev. Thanks to Christoph Anton Mitterer. * cryptdisks.functions: - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs script already supports keyscripts without path as argument. Thanks to Christoph Anton Mitterer. * README.initramfs: - Remove the mention of bug #398302 from the section about suspend/resume, as this bug has been fixes for some time now. - Remove step 6 (mkswap) from the section about decrypt_derived, as it was superfluous. Thanks to Helmut Grohe. (closes: #491867) * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange. Thanks to Marc Haber. (closes: #506536) * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required to detect the dm-crypt device in setups with more than one level of device mapper mappings. For example if LVM is used with snapshots on top of the dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721) * urgency=medium due to several important fixes. -- Jonas Meurer <m...@debian.org> Wed, 17 Dec 2008 21:25:45 +0100 Please don't hesitate to ask when you've questions regarding the upload. greetings, jonas
diff -u cryptsetup-1.0.6/debian/watch cryptsetup-1.0.6/debian/watch --- cryptsetup-1.0.6/debian/watch +++ cryptsetup-1.0.6/debian/watch @@ -2 +2 @@ -opts="uversionmangle=s/luks-//;s/-pre/~pre/;s/-rc/~rc/" http://luks.endorphin.org/source/cryptsetup-(.*)\.tar\.bz2 +opts="uversionmangle=s/luks-//;s/-pre/~pre/;s/-rc/~rc/" http://cryptsetup.googlecode.com/files/cryptsetup-(.*)\.tar\.bz2 diff -u cryptsetup-1.0.6/debian/NEWS cryptsetup-1.0.6/debian/NEWS --- cryptsetup-1.0.6/debian/NEWS +++ cryptsetup-1.0.6/debian/NEWS @@ -1,3 +1,19 @@ +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + Support for the timeout option has been removed from cryptdisks initscripts + in order to support splash screens and remote shells in boot process. + The implementation had been unclean and produced many anyway. + If you used the timeout option on headless systems without physical access, + then it's a much cleaner solution anyway, to use the 'noauto' option in + /etc/crypttab, and start the encrypted devices manually with + '/etc/init.d/cryptdisks force-start'. + Another approach is to start a minimal ssh-server in the initramfs and unlock + the encrypted devices after connecting to it. This even supports encrypted + root filesystems for headless server systems. + For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz + + -- Jonas Meurer <m...@debian.org> Tue, 16 Dec 2008 18:37:16 +0100 + cryptsetup (2:1.0.6-4) unstable; urgency=medium The obsolete keyscript decrypt_old_ssl and the corresponding example script diff -u cryptsetup-1.0.6/debian/README.initramfs cryptsetup-1.0.6/debian/README.initramfs --- cryptsetup-1.0.6/debian/README.initramfs +++ cryptsetup-1.0.6/debian/README.initramfs @@ -138,9 +138,6 @@ in combination with encryption to keep the resume image safe from potential attackers. -Note: This will not work as expected until #398302 has been fixed as the -decrypted suspend image will currently not be recognized as such. - If your resume device and your root partition use two different cryptsetup mappings, you might want to use the "decrypt_derived" keyscript as described below. @@ -166,9 +163,8 @@ cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap 4) /etc/init.d/cryptdisks start 5) Make sure that /dev/mapper/cryptswap has been created -6) mkswap /dev/mapper/cryptswap -7) swapon -a -8) (optional) update-initramfs -u +6) swapon -a +7) (optional) update-initramfs -u After you've followed the above steps, your swap device should be setup automatically after the root device has been setup during the boot stage. diff -u cryptsetup-1.0.6/debian/cryptdisks-early.init cryptsetup-1.0.6/debian/cryptdisks-early.init --- cryptsetup-1.0.6/debian/cryptdisks-early.init +++ cryptsetup-1.0.6/debian/cryptdisks-early.init @@ -23,6 +23,12 @@ exit 0 fi +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + case "$1" in start) do_start @@ -34,8 +40,12 @@ do_stop do_start ;; +force-start) + FORCE_START="yes" + do_start + ;; *) - echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload}" + echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}" exit 1 ;; esac diff -u cryptsetup-1.0.6/debian/cryptdisks.init cryptsetup-1.0.6/debian/cryptdisks.init --- cryptsetup-1.0.6/debian/cryptdisks.init +++ cryptsetup-1.0.6/debian/cryptdisks.init @@ -23,6 +23,12 @@ exit 0 fi +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + case "$1" in start) do_start @@ -34,8 +40,12 @@ do_stop do_start ;; +force-start) + FORCE_START="yes" + do_start + ;; *) - echo "Usage: cryptdisks {start|stop|restart|reload|force-reload}" + echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}" exit 1 ;; esac diff -u cryptsetup-1.0.6/debian/changelog cryptsetup-1.0.6/debian/changelog --- cryptsetup-1.0.6/debian/changelog +++ cryptsetup-1.0.6/debian/changelog @@ -1,3 +1,47 @@ +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE + in configure.in. + * Support keyfiles option in bash completion. Thanks to Stefan Goebel for + the patch. (closes: #499936) + * Update patches/02_manpage.patch: Fix the documnetation of default cipher + for LUKS mappings. (closes: #495832) + * Update debian/watch file to reflect the move of project home to + code.google.com. + * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of + cryptdisks.functions. This way, cryptdisks_start/stop work even with + $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643) + * Add force-start to cryptdisks(-early).init in order to support starting + noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779) + * Document how to enable remote device unlocking via dropbear ssh server + in the initramfs during boot process. Thanks to Chris <deb...@x.ray.net> + for the great work. (closes: #465902) + * Completely remove support and documentation of the timeout option, + document this in NEWS.Debian. (closes: #495509, #474120) + * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner. + (closes: #499704) + * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev. + Thanks to Christoph Anton Mitterer. + * cryptdisks.functions: + - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs + script already supports keyscripts without path as argument. Thanks to + Christoph Anton Mitterer. + * README.initramfs: + - Remove the mention of bug #398302 from the section about suspend/resume, + as this bug has been fixes for some time now. + - Remove step 6 (mkswap) from the section about decrypt_derived, as it was + superfluous. Thanks to Helmut Grohe. (closes: #491867) + * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange. + Thanks to Marc Haber. (closes: #506536) + * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required + to detect the dm-crypt device in setups with more than one level of device + mapper mappings. For example if LVM is used with snapshots on top of the + dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben + Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721) + * urgency=medium due to several important fixes. + + -- Jonas Meurer <m...@debian.org> Wed, 17 Dec 2008 21:25:45 +0100 + cryptsetup (2:1.0.6-6) unstable; urgency=high * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles diff -u cryptsetup-1.0.6/debian/cryptdisks.default cryptsetup-1.0.6/debian/cryptdisks.default --- cryptsetup-1.0.6/debian/cryptdisks.default +++ cryptsetup-1.0.6/debian/cryptdisks.default @@ -15,4 +14,0 @@ - -# Default timeout in seconds for password prompt -# Takes effect, if the 'timeout' option is set in crypttab without a value -CRYPTDISKS_TIMEOUT=180 diff -u cryptsetup-1.0.6/debian/README.Debian cryptsetup-1.0.6/debian/README.Debian --- cryptsetup-1.0.6/debian/README.Debian +++ cryptsetup-1.0.6/debian/README.Debian @@ -15,7 +15,9 @@ 6. Cryptsetup and Splashy - 7. Credits + 7. Remotely unlock encrypted rootfs + + 8. Credits 1. Introduction into Cryptsetup for Debian @@ -151,6 +153,7 @@ See man crypttab(5) for more information about the checksystem. + 6. Cryptsetup and Splashy ------------------------- @@ -164,7 +167,40 @@ nor in askpass, the keyscript that is responsible for cryptsetups passphrase input dialogs. -7. Credits + +7. Remotely unlock encrypted rootfs +----------------------------------- + + Thanks to Chris <deb...@x.ray.net> it's possible to install a dropbear ssh +server into the initramfs, connect to this ssh server during execution of +initramfs early in the boot process, and unlock encrypted devices - even the +root device - before the boot process continues. + + This way it is possible to use an encrypted root filesystem on headless +systems where no physical access is available during boot process. + + Unfortunately dropbear 0.52-1 is required for this to work. As this version +is not incuded in lenny, you'll have to install it manually. Thankfully this +version configures everything automatically, so all you have to do after +installing dropbear on the remote system, is to copy the root ssh keyfile from +/etc/initramfs/root/ssh/id_rsa to your local system: + +$ scp remote.system.com:/etc/initramfs/root/ssh/id_rsa remote_rsa + + Now the remote system should start dropbear automatically during initramfs +excecution at the boot process. You can login into the initramfs via ssh + +$ ssh -i remote_rsa -l root remote.system.com + + and echo the passphrase to a fifo file on the remote system: + +# echo -n "my_secret_passphrase" > /lib/cryptsetup/passfifo + + That's it. Now that the encrypted root device is unlocked, the remote system +should continue with the boot process. + + +8. Credits ---------- People who contributed to documentation for the Debian cryptsetup package: diff -u cryptsetup-1.0.6/debian/bash_completion cryptsetup-1.0.6/debian/bash_completion --- cryptsetup-1.0.6/debian/bash_completion +++ cryptsetup-1.0.6/debian/bash_completion @@ -18,6 +18,11 @@ argopts="$argopts -t --timeout -T --tries" noargopts="-y --verify-passphrase --readonly --version --align-payload" + # complete file names for -d and --key-file + if [ "-d" = "$prev" -o "--key-file" = "$prev" ] ; then + COMPREPLY=( $(compgen -f -- "${cur}") ) + fi + # If previous word was an option requiring an argument, can't complete for argopt in $argopts ; do if [ "$argopt" = "$prev" ] ; then diff -u cryptsetup-1.0.6/debian/cryptdisks.functions cryptsetup-1.0.6/debian/cryptdisks.functions --- cryptsetup-1.0.6/debian/cryptdisks.functions +++ cryptsetup-1.0.6/debian/cryptdisks.functions @@ -21,13 +21,6 @@ MOUNT="$CRYPTDISKS_MOUNT" -case "$CRYPTDISKS_ENABLE" in -[Nn]*) - exit 0 - ;; -esac - - # Parses the option field from the crypttab file parse_opts () { local opts opt IFS PARAM VALUE @@ -43,7 +36,6 @@ TMPFS="" MAKESWAP="" USELUKS="" - TIMEOUT="" KEYSCRIPT="" IGNORE="" @@ -135,16 +127,6 @@ log_warning_msg "$dst: option tries used with an incorrect argument - forced to $TRIES" fi ;; - timeout) - if [ -z "$VALUE" ]; then - TIMEOUT="$CRYPTDISKS_TIMEOUT" - elif echo "$VALUE" | grep -q "^[[:digit:]]\+$"; then - TIMEOUT="$VALUE" - else - log_warning_msg "$dst: option timeout used with an incorrect argument - forced to '$TIMEOUT'" - fi - PARAMS="$PARAMS --timeout=$TIMEOUT" - ;; swap) MAKESWAP="yes" SWCHECK="/lib/cryptsetup/checks/un_vol_id" @@ -177,11 +159,17 @@ if [ -n "$KEYSCRIPT" ]; then log_warning_msg "$dst: multiple key decryption options are not allowed together, skipping" return 1 + elif [ -x "$VALUE" ]; then + KEYSCRIPT="$VALUE" + elif [ -x "/lib/cryptsetup/scripts/$VALUE" ]; then + KEYSCRIPT="/lib/cryptsetup/scripts/$VALUE" elif [ -z "$VALUE" ]; then log_warning_msg "$dst: no value for keyscript option, skipping" return 1 + else + log_warning_msg "script $VALUE is not an executable script, skipping" + return 1 fi - KEYSCRIPT="$VALUE" ;; esac done @@ -230,16 +218,13 @@ # If the keyscript option is set, the "key" is just an argument to # the keyscript and not necessarily a file if [ -n "$KEYSCRIPT" ]; then - INTERACTIVE="yes" return 0 fi if [ -z "$key" ] || [ "$key" = "none" ]; then key="" - INTERACTIVE="yes" return 0 fi - INTERACTIVE="no" if [ ! -e "$key" ]; then log_warning_msg "$dst: keyfile not found" @@ -517,7 +502,7 @@ fi # Ignore noauto devices - if [ "$IGNORE" = "yes" ]; then + if [ "$IGNORE" = "yes" ] && [ -z "$FORCE_START" ]; then device_msg "$dst" "ignored" continue fi diff -u cryptsetup-1.0.6/debian/patches/02_manpage.patch cryptsetup-1.0.6/debian/patches/02_manpage.patch --- cryptsetup-1.0.6/debian/patches/02_manpage.patch +++ cryptsetup-1.0.6/debian/patches/02_manpage.patch @@ -1,7 +1,7 @@ ## 02_manpage.patch -## by Martin Pitt <martin.p...@ubuntu.com> +## by Martin Pitt <martin.p...@ubuntu.com> and others ## -## clarify default key sizes in cryptsetup.8 manpage +## several documentation and typo fixes. --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -11,6 +11,15 @@ .SH NAME cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension) .SH SYNOPSIS +@@ -87,7 +87,7 @@ + specifies hash to use for password hashing. This option is only relevant for the "create" action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160". + .TP + .B "\-\-cipher, \-c" +-set cipher specification string. Usually, this is "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256". ++set cipher specification string. For plain dm-crypt mappings, the default is "aes-cbc-plain", for LUKS mappings it's "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256". + .TP + .B "\-\-verify-passphrase, \-y" + query for passwords twice. Useful when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR. @@ -101,7 +101,7 @@ For LUKS operations that add key material, this options allows to you specify which key slot is selected for the new key. This option can be used for luksFormat and luksAddKey. .TP diff -u cryptsetup-1.0.6/debian/patches/series cryptsetup-1.0.6/debian/patches/series --- cryptsetup-1.0.6/debian/patches/series +++ cryptsetup-1.0.6/debian/patches/series @@ -1,2 +1,3 @@ +01_gettext_package.patch 02_manpage.patch #03_check_for_root.patch diff -u cryptsetup-1.0.6/debian/doc/crypttab.xml cryptsetup-1.0.6/debian/doc/crypttab.xml --- cryptsetup-1.0.6/debian/doc/crypttab.xml +++ cryptsetup-1.0.6/debian/doc/crypttab.xml @@ -212,17 +212,6 @@ </varlistentry> <varlistentry> - <term><emphasis>timeout</emphasis>=<sec></term> - <listitem> - <simpara> - If key is <quote>none</quote>, the cryptdisks script interactively - prompts for a password. The timeout option specifies the time in - seconds to wait for the password before timing out. - </simpara> - </listitem> - </varlistentry> - - <varlistentry> <term><emphasis>noearly</emphasis></term> <listitem> <simpara>The cryptsetup init scripts are invoked twice during the boot @@ -380,16 +369,6 @@ </simpara> </listitem> </varlistentry> - - <varlistentry> - <term><emphasis>CRYPTDISKS_TIMEOUT</emphasis></term> - <listitem> - <simpara>Specifies the time in seconds to wait for the password before - timing out. Takes effect if the <emphasis>timeout</emphasis> option is - given in crypttab with no value. - </simpara> - </listitem> - </varlistentry> </variablelist> </refsect1> diff -u cryptsetup-1.0.6/debian/scripts/decrypt_ssl cryptsetup-1.0.6/debian/scripts/decrypt_ssl --- cryptsetup-1.0.6/debian/scripts/decrypt_ssl +++ cryptsetup-1.0.6/debian/scripts/decrypt_ssl @@ -17 +17 @@ -return $? +exit $? diff -u cryptsetup-1.0.6/debian/initramfs/cryptpassdev-hook cryptsetup-1.0.6/debian/initramfs/cryptpassdev-hook --- cryptsetup-1.0.6/debian/initramfs/cryptpassdev-hook +++ cryptsetup-1.0.6/debian/initramfs/cryptpassdev-hook @@ -18,11 +18,11 @@ . /usr/share/initramfs-tools/hook-functions -# Hooks for adding filesystem modules to the initramfs when the mountdev +# Hooks for adding filesystem modules to the initramfs when the passdev # keyscript is used -# Check whether the mountdev script has been included -if [ ! -x "${DESTDIR}/keyscripts/mountdev" ]; then +# Check whether the passdev script has been included +if [ ! -x "${DESTDIR}/keyscripts/passdev" ]; then exit 0 fi @@ -32,7 +32,7 @@ # who needs to create a new cryptkey (using a backup of a keyfile) on # a windows-machine for example. -# This list needs to be kept in sync with the one defined in mountdev.c +# This list needs to be kept in sync with the one defined in passdev.c for fs in ext3 ext2 vfat reiserfs xfs isofs udf; do manual_add_modules "$fs" > /dev/null 2>&1 || true done diff -u cryptsetup-1.0.6/debian/initramfs/cryptroot-hook cryptsetup-1.0.6/debian/initramfs/cryptroot-hook --- cryptsetup-1.0.6/debian/initramfs/cryptroot-hook +++ cryptsetup-1.0.6/debian/initramfs/cryptroot-hook @@ -137,11 +137,12 @@ for dep in $deps; do maj=${dep%,*} min=${dep#*,} - depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p") + depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p" | sed -e "s/[ \t]*$//") if [ -z "$depnode" ]; then continue fi - if [ "$(dmsetup table $depnode 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then + if [ "$(dmsetup table "$depnode" 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then + get_lvm_deps "$depnode" continue fi echo "$depnode" @@ -347,7 +348,7 @@ fi # Get crypttab root options - if ! get_device_opts $node $opts; then + if ! get_device_opts "$node" "$opts"; then continue fi echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot" diff -u cryptsetup-1.0.6/debian/initramfs/cryptroot-script cryptsetup-1.0.6/debian/initramfs/cryptroot-script --- cryptsetup-1.0.6/debian/initramfs/cryptroot-script +++ cryptsetup-1.0.6/debian/initramfs/cryptroot-script @@ -124,7 +124,7 @@ vg="${1#/dev/mapper/}" # Sanity checks - if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then + if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then return 1 fi @@ -139,7 +139,7 @@ # Reduce padded --'s to -'s vg=$(echo ${vg} | sed -e 's#--#-#g') - vgchange -ay ${vg} + lvm vgchange -ay ${vg} return $? } only in patch2: unchanged: --- cryptsetup-1.0.6.orig/debian/patches/01_gettext_package.patch +++ cryptsetup-1.0.6/debian/patches/01_gettext_package.patch @@ -0,0 +1,16 @@ +## 01_gettext_package.patch +## by Jonas Meurer <jo...@freesources.org> +## +## remove -luks from GETTEXT_PACKAGE in configure.in + +--- a/configure.in ++++ b/configure.in +@@ -45,7 +45,7 @@ + + dnl ========================================================================== + +-GETTEXT_PACKAGE=cryptsetup-luks ++GETTEXT_PACKAGE=cryptsetup + AC_SUBST(GETTEXT_PACKAGE) + AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE,"$GETTEXT_PACKAGE", + [Definition for the gettext package name])